Monday, 21 November 2016

Secure Your Online Banking (And Personal Data)

Tesco Bank customers were powerless to prevent hackers stealing hundreds of thousands of pounds from accounts, but there are still ways you can secure and protect your money and data.

There was a time when people implicitly trusted banks. They certainly seemed to be a far better alternative to stuffing your cash under the mattress, and they had an air of authority about them. How times have changed, though. Many of the grand old branches of yesteryear have long gone, and we've lived through a period of such great insecurity that many banks have had to be restructured. One - Northern Rock - even collapsed after becoming the first in 150 years to suffer a run.

If that wasn't shocking enough, we've seen bankers vilified for the recent, long recession as well as a rise in bank card and ATM fraud. Little wonder banks have struggled to regain the trust of their clients - and that's before we even get to the problems some of them have suffered online. As much as banking has proven to be very convenient for us, it is also rather handy for hackers. You only have to ask customers of Tesco Bank to see just how bad things can get.

Some of them were hit by "a systematic, sophisticated attack" on November 6th, and it could deal a devastating blow to the banking sector. Hackers managed to infiltrate Tesco Bank's systems and access as many as 9,000 accounts, fleecing them to the tune of hundreds or, in some cases, thousands of pounds. The strike has since been dubbed "unprecedented" by the Financial Conduct Authority and, while the bank says it knows the exact nature of the attack, it caused uproar and great unease among its customers.

Many of them took to Twitter to vent their spleen (only to find that Tesco Bank was initially wishing everyone a good morning and hoping everyone had had a good weekend) and there was disbelief that such a large-scale attack could have taken place. Tesco Bank ended up being forced into stopping all online transactions for current accounts, and then refunding the stolen money - all £2.5 million of it - within days.

However, as the National Crime Agency (NCA) began its investigation and Tesco Bank's CEO, Benny Higgins, looked to limit the damage, there was a nagging feeling that such a strike was inevitable at some point along the line. That’s not least because it is far from being an isolated incident; in fact, it's one of dozens of attacks carried out on banks around the world each year. Back in February, for instance, HSBC was targeted by online criminals using a distributed denial of service (DDoS) attack that knocked out the accounts of 17 million personal and business customers in its wake.

Meanwhile in March, in one of the most brazen attacks of its type, hackers breached Bangladesh Bank's systems, stealing its credentials for payment transfers and immediately bombarding the Federal Reserve Bank of New York with more than 30 money-transfer requests. Only a simple spelling mistake - foundation was spelled 'fandation', we're told - stopped the $1 billion scam in its tracks. Had the perpetrators used a spell-checker, it could have been a disaster.

It currently seems that if a group is determined enough to break in, there is every chance they will do so - and that when they do that, there is nothing any of us, as individuals, can do about it. That's a frightening thought.

Rising Crime

That's how it feels, but how bad is the situation really? Well, according to figures reported by Reuters, there were five reported hacks on UK financial institutions in 2014/15 compared to a staggering 75 so far this year. That may not even be the full picture, however. A Reuters report back in October alleged that UK banks were withholding information on cyber attacks to avoid bad publicity, and that they were reporting figures lower than the real numbers.

It was suggested that one large financial institute was suffering as many as two billion potential hacks each month - 200 of which were treated as "real events". An anonymous Reuters source said: "Banks are dramatically under-reporting attacks. They do what's legally required but out of embarrassment or fear of punishment they aren't giving the whole picture."

One thing's for sure, hacking is well and truly on the rise. We may have to get used to these kinds of attacks in the future and perhaps even re-think how we bank. Experts suggest it's only going to get worse, not only in the long term but right now. "With the busy Christmas period soon upon us - not to mention 'Cyber Monday' later this month - we would expect to see a spike in the number of online frauds in the coming weeks," Jody Baker, head of money at, told The Independent. It's frightening, sobering stuff.

So are we better off throwing our arms in the air and giving up? Not at all. After all, so many of us bank online these days (the Office for National Statistics says more than half of Britons used internet banking in 2015) and we enjoy the convenience and immediacy of it. We just need to remember that we get refunds if the fault lies with the bank and that we are able to do something about the great many hack attacks that are aimed at individuals each and every day too. The key is to figure out how best to protect ourselves so that we're much less likely to be to blame if something does go wrong.

Taking Steps

Exactly how, though? Well, the first step should be finding a financial institution that offers you the most secure online banking you can find. You may think that they all do this, but it isn't the case. In fact, the methods your bank uses to allow you to access your money on the web may not always prove to be the best, most fool-proof way of doing it. Indeed, consumer action group Which? compared a whole bunch of online banking websites and apps in its current issue, and it found some were far more secure than others.

TSB came bottom, for instance, slammed for not offering two-factor authentication during its login process. It wasn't alone in that, though: just five of the 11 banks Which? tested use the two-factor method, prompting the report's author to write: "We think that any bank failing to use two-factor authentication, particularly for login, is putting customers at risk and needs to introduce it." Worse, the reviewers also found that someone needed just the username, date of birth and account information to reset a forgotten password with TSB.

Meanwhile, First Direct and HSBC took up the top two slots. Owned by the same organisation, accounts with these banks require a special key fob or mobile phone which generates a one-time code that needs to be inputted when logging in. Codes are also needed to make payments and there's a block on opening more than one tab to access the accounts. This is far better, especially in light of the latest figures on fraud. It is currently blighting online bank accounts to the tune of £133.5 million.

"If a bank customer is tricked by fraudsters into transferring money themselves, they have no legal right to seek compensation from the banks," Which? said. "Some victims have lost their life's savings." Which brings us to a second point: be very wary about giving personal details, especially account details, to anyone - ever - whether it is on the phone or through an online request. Hackers are becoming ever more sophisticated in their phishing attempts (the phrase used to describe social engineering tricks used to get people to part with sensitive information like passwords), and you really do need to be on your guard.

Be More Secure

Many phishing attempts should set alarm bells ringing straight away. A common trick to look out for is emails that claim there has been an unauthorised transaction on your account, asking you to click a link and confirm your identity. It's far from the only one, though. Others may say you've been overcharged, or that your information couldn't be verified. The most sophisticated ones may even be targeted to individuals - perhaps knowing that you've just done something and using that information to lull you into a false sense of security.

"Many people let themselves be fooled into deliberately making payments to people they shouldn't. In that case, no technical measures will help you," says Ross Anderson, professor of security engineering at the Computer Laboratory at Cambridge University. "For example, you owe a supplier some money, and they email you to say that their bank details have changed. You don't check back on the telephone, and send the money to the wrong place. This is a rapidly growing scam, and many company finance departments are quite blind to it."

If you do receive an email (or indeed a text or call) of any such nature and you're worried about it, then make some checks. Pick up the phone or go directly to your bank’s website and log in, checking that everything is okay. Many banks will have an inbox on their website that will alert you to problems so have a look there. Most likely there will be nothing wrong, but you'll have avoided falling prey to a fraudster. Taking time to check is not a waste of time.

Just remember that no legitimate bank, or indeed any company, will ask for credit and bank account numbers, passwords and so on in emails. The only exceptions are when your cards may have expired and a company has tried to take money. In such instances, you'll be able to check this by looking at your card. Again, go direct to a website rather than click a link and forward any rogue emails to the bank's fraud department, the details of which you should find online. This helps the bank stay on top of scammers and it could save someone else a lot of hassle in the future.

You should also be wary about where you are carrying out your online banking. "You want to protect yourself from the bad guy sitting between you and the bank," says Prof Ross. "When you think you're authorising a payment of £50 to me, you're actually sending £500 to him." At the same time you should consider what machine you're conducting your business on too. "Don't use a Windows machine if you must bank online," Prof Anderson continues. "Use something like an iPad for which there is no malware currently available, at least to low-grade crooks (the NSA has some, but if they're part of your threat model there are other things you have to do)."

To that end, it's always good practice to use a secure broadband or wi-fi connection, ensuring you are using a wireless router with Wi-fi Protected Access (WPA or, preferably, WPA2) and with a password different to the default (you can check the security of a password at Certainly, you should stay away from using public hotspots: never send sensitive data such as credit and debit card numbers over such unencrypted wi-fi hotspots and reconsider automatically joining networks when you're out and about.

Experts actually suggest you are safer using your cellular data plan than a public wi-fi connection because it's more difficult for hackers to sniff out such a stream than it is to pluck passwords from network traffic. It is sound advice, but it is not 100% foolproof. Leonid Burakovsky, senior director of strategic solutions at F5, says 3G networks use a protocol called SS7 which is hard to penetrate but 4G uses an open protocol that is actually easier to access. "This can open mobile networks up to a greater number of very real threats, meaning the onus will be on mobile operators to increase their efforts to protect users, network and applications," he told Mail Online.

"The main security problem with 4G networks is that user information can become easily available to hackers via, for instance, 'man-in-the-middle' attacks, and hackers can compromise new services like mobile health or mobile commerce." Better then, to conduct your banking from home on a secure network using one of the banking sector's most secure apps that you keep up-to-date. If you're still not convinced that you can make a difference to your own online banking security, then consider the consequences of not even trying.

The Brick Wall

If a bank suspects that you have been negligent and failed to keep your card, security device or your PIN and passwords safe, then it won't make an immediate refund. The terms and conditions of many financial providers make this clear in the small print, usually stating that you have to act with reasonable care and in accordance with its terms and conditions.

Disclosing your security details to anyone, either directly or because you've been careless in some way, is a big no-no and there are hints that some banks will investigate your actions as much as a hacker's. Lloyds states that you'll be liable for payments "if we can prove you have been grossly negligent with your device or security details". They will pay up if it is their fault, though. Luckily, in the case of Tesco Bank there was no question that the money would not be refunded, but it should serve as a wake-up call for both us and them.

After all, it shows that we can never be too careful, and that the days of people pulling on a balaclava to physically rob a bank are ending in favour of opening a laptop to do it. By using every security feature handed to you by the bank and the tips on these pages, you should be able to rest easy in the knowledge that you're helping make the thieves work far, far harder for their money in the future.

Protect Your Phone When Banking Online

Since many of us are using our phones to check account balances and transfer money, it is a good idea to ensure that they are protected against potential hacks too.

Passcode Lock Your Smartphone
Enable a passcode or password on your phone and ensure your handset will lock up after a set number of attempts. Unless a thief is lucky, this security method will work well in keeping them locked out of your device, protecting the information and apps that are on there.

Install Anti-virus Software
It's worth running an anti-virus package on an Android phone or tablet because it is possible they can become infected with malware just like your computer. Don't worry if you have an Apple device. This is not an issue for non-jailbroken iPhones and iPads.

Keep The Apps Updated
Some banking apps will tell you when there is an update available, while others will have you hunt around an app store to find out for yourself. In both cases, check and install because the updates are likely to include extra security for added peace of mind.

Don't Write Stuff Down
You may be tempted to jot a reminder of some of your details in a note-taking app, but this kind of sensitive information is dangerous in the wrong hands and you'll be kicking yourself if it is used to prise open your online bank account.

Keep In Contact
If you lose your phone, you can't help but feel sick thinking about the photos you may have lost and the price of a replacement handset. Think about that banking app on there first, though, and contact your bank immediately. Also tell it straight away if you change your number.

Watch Who's Behind You
Are you tempted to check your bank account on public transport or in a cafe? As well as being concerned about the security of your connection, you need to look around: is someone peering over your shoulder as you type in your sensitive information?

Get Into The Habit
Some apps have a way of quickly checking your balance without having to log in. Sure, this means anyone could potentially open the app and see how much you have (or don't have), but by getting into the habit of checking often, you'll be better prepared to spot and alert the bank to any discrepancies.

Log Out
Don't forget to log out of the app when you have completed a mobile banking session so that the risk of someone jumping in before it times out is eradicated. It's a simple enough thing to do after all.

Protect Your Personal Data

As well as ensuring your bank account can't be compromised because of something you've done, you should also lock down your personal data. Here's what you should be doing.

1. Lock Your Computer
Make sure you have a password on your PC or Mac (Windows, OS X, macOS and Linux allow you to create them). That way, if your computer ever gets stolen, it will be more difficult for a thief to access your files. Get into the habit of locking the machine when you leave it unattended, too. That way someone can't jump on to see what you're doing.

2. Protect Individual Files
If you have to store personal details on your computer, consider encrypting your files - a great deterrent against prying eyes. To do this using Windows, right-click a file or folder and select Properties, then click Advanced and check the box next to "Encrypt contents to secure data". Once done, click OK, before selecting Apply and OK again.

3. Keep Anti-virus Up-to-date
Malware, viruses and keylogging software are your mortal enemy, so eradicate them by using an updated anti-virus package. At the same time, you really need to be careful about the sites you visit and the downloads you install. Most viruses are introduced because someone has opened a rogue attachment, downloaded dodgy software or visited a criminal's webpage via social media.

4. Make Back-ups
If you have personal data that you simply can't afford to lose, for heaven's sake back it up to be doubly sure. You can use File History in Windows 10, which scans your file system for changes and stores them on an external drive which you can then put under lock and key. You may want to avoid putting sensitive information such as banking details in the cloud, though. Services such as Dropbox, iCloud, Google Drive or OneDrive are secure but not foolproof.

5. Be Careful On Social Media
If you're listing lots of details about yourself on social media then a clever hacker may be able to piece together information about you. This could help them access your bank account, easing them through the security questions. Check those privacy settings on LinkedIn too - especially if you've pretty much uploaded your entire CV.